Mirco MEGAS
2014-Nov-02 00:07 UTC
[Samba] DC2 denies access when saving through the Group Policy Management Console
> OK, make sure that the two idmap.ldb files match and then run
> 'samba-tool ntacl sysvolreset' on both machines and see if this cured
> this problem.

I did:

root at dc1:~$ service sernet-samba-ad stop
root at dc2:~$ service sernet-samba-ad stop
root at dc2:~$ mv /var/lib/samba/private/idmap.ldb /root/idmap.ldb.bak
root at dc1:~$ scp /var/lib/samba/private/idmap.ldb dc2:/var/lib/samba/private/

then I ensured that /var/lib/samba/private/idmap.ldb is exactly the same on dc1 and dc2. then...

root at dc1:~$ samba-tool ntacl sysvolreset
root at dc2:~$ samba-tool ntacl sysvolreset
root at dc1:~$ service sernet-samba-ad start
root at dc2:~$ service sernet-samba-ad start

to be sure again I execute the sysvolreset command...

root at dc1:~$ samba-tool ntacl sysvolreset
root at dc2:~$ samba-tool ntacl sysvolreset

but when I execute "samba-tool ntacl sysvolcheck" I still get the uncaught exception error on dc1 and dc2 :(

Hi again,

I followed https://wiki.samba.org/index.php/SysVol_Bidirectional_Replication#When_you_try_to_resync_the_folder and did a manual resync from dc1:/var/lib/samba/sysvol to dc2:/var/lib/samba/sysvol so I had consistency again. The "samba-tool ntacl sysvolcheck" still fails with the uncaught exception error and I am not sure if this is a good sign. But independent of that I think I know why I am running into the issue that I described on that thread:

When I add a new GPO on DC1, it has the following owner and file mode:

drwxrwx---+ 4 502 500 4,0K Nov 1 22:22 {1AC9641E-1234-47C7-8D8C-43A199220635}

The owner of this new Group Policy Object is 502. That is my domain user "foo" which I have assigned the NIS/UNIX attribute uid=502 to. The group is 500 which is the gid=500 of my domain group "Domain Admins". After 5 minutes the sysvol-sync (unison+rsync) is syncing that object successfully to DC2. When I do "ls -lh" on DC2 I get the same output. So far so good, everything works fine and as expected until now.

Now we do the reverse thing. I create a new GPO on DC2. The file mode on DC2 looks like that:

drwxrwx---+ 3 502 500 4,0K Nov 1 22:29 {A783C43A-9DCA-434A-B28A-5E7D9C01EFD7}

As we see the owner still is 502, which is equal to domain user "foo", and group id 500 which is "Domain Admins". After this object is synced to DC1, the object on DC1 though looks like that:

drwxr-x---+ 3 root root 4,0K Nov 1 22:30 {A783C43A-9DCA-434A-B28A-5E7D9C01EFD7}

So here's the culprit ==> When the unison/rsync bidirectional sync is syncing objects from DC1 to DC2 all is ok, the same owner and file attributes are synced. But objects synced from DC2 to DC1 change their owner/group and also the file modes. But *WHY*? Is that a misconfiguration in the unison/rsync tutorial shown on https://wiki.samba.org/index.php/SysVol_Bidirectional_Replication

Mirco.

We see, the owner still is "foo" with uid=500

> Do things work if you test as "Administrator" (root) ?
> achim?

Unfortunately not... when I login with "MYDOM\Administrator" on DC2 and create a new GPO it looks like that on DC2:

drwxrwx---+ 4 root 500 4,0K Nov 2 00:52 {562AB030-6351-42C1-9850-D5B12BF45570}

As soon as sysvol sync runs the directory on DC1 looks like that:

drwxr-x---+ 3 root root 4,0K Nov 2 00:55 {562AB030-6351-42C1-9850-D5B12BF45570}

At this step, I can't even edit the GPO on DC2, where it worked before the unison sync started. That means that after unison runs something is written also on the DC2 side, because DC2 won't allow me to edit the GPO anymore. At this step, the GPO seems already to be not accessible.

The summary is:
----------------------
Whatever I create/modify on DC2 will be broken after the unison/bi-directional sync is run.
Whatever I add/modify on DC1 works 100% fine and lets me edit it either through DC1 or DC2.

==> GPOs created initially on DC2 will not be editable after unison has run, neither on DC1 nor on DC2.
==> GPOs created initially on DC1 will be editable after unison has run on both DC1 and DC2

This is not what one would expect though, because I did expect I could also edit/add objects on DC2, but as I explained this is broken somehow.
Any dev know more about that? I'm looking forward to hearing from you.

Mirco.
Mirco MEGAS
2014-Nov-02 00:24 UTC
[Samba] DC2 denies access when saving through the Group Policy Management Console
Referring to Marc Muehlefeld, who has written the script and the tutorial for unison/rsync bi-directional sysvol sync, and this thread: http://samba.2283325.n4.nabble.com/Samba4-AD-SysVol-Replication-HowTo-Script-td4651469.html

I think the inconsistency comes from the unison/rsync stuff. As Andreas on the mentioned thread said, csync is not capable of syncing extended ACL attributes, which is necessary for sysvol syncing. But hey, I thought about "csync2". But the PDF here (http://oss.linbit.com/csync2/paper.pdf) says it's not capable of syncing these extended ACL attributes, too. Damn it! :(

So it seems that "rsync" is the only tool out there that can sync extended attributes through the -X switch? So, where's the problem then that I am facing at the moment? Is it unison in any way?

Mirco.
Chan Min Wai
2014-Nov-02 00:39 UTC
[Samba] DC2 denies access when saving through the Group Policy Management Console
Hi all,

Just to check. Are the rsync and unison in the distro compiled with xattr? Would that be the cause?

Regards,
Chan Min Wai
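The two questions in this thread so far, whether the sync tool can carry ACLs and xattrs at all, and what exactly changed on a GPO directory after a sync, can both be answered from the shell. The script below is an added example, not code from the thread or from the Samba wiki. It assumes GNU/Linux userland with `ls -n`, `diff` and optionally `getfacl`/`getfattr` installed, and that the other DC's sysvol has been pulled to a local directory (for instance with `rsync -aAX dc2:/var/lib/samba/sysvol/ /tmp/sysvol-dc2/`, a command chosen for this example). `rsync_caps` parses the "Capabilities:" line of `rsync --version`, where an rsync built without support prints "no ACLs" / "no xattrs"; `sysvol_meta_diff` dumps owner, group, mode, POSIX ACL and xattr of every path in two trees and diffs them, so an owner flipping from 502:500 to root:root or a mode from 770 to 750, as described above, shows up as a diff line on that GPO directory.

```sh
#!/bin/sh
# Added example: capability check for rsync and a metadata diff of two
# sysvol trees. Not from the Samba project or the thread authors.

# Parse an "rsync --version" text; succeed only if both ACLs and xattrs
# are compiled in. Taking the text as a parameter keeps it testable.
rsync_caps_from_text() {
    # one capability per line, surrounding blanks stripped
    caps=$(printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    has_acl=no
    has_xattr=no
    # exact-line matches so that "no ACLs" / "no xattrs" do not count
    printf '%s\n' "$caps" | grep -qx 'ACLs' && has_acl=yes
    printf '%s\n' "$caps" | grep -qx 'xattrs' && has_xattr=yes
    echo "rsync ACLs=$has_acl xattrs=$has_xattr"
    [ "$has_acl" = yes ] && [ "$has_xattr" = yes ]
}

# Convenience wrapper against the installed rsync binary.
rsync_caps() {
    rsync_caps_from_text "$(rsync --version 2>/dev/null)"
}

# Print, for one tree, everything that must survive a sysvol sync:
# owner/group/mode of each path, POSIX ACLs, and extended attributes
# (Samba stores the NT ACL in the security.NTACL xattr; reading it
# normally needs root).
sysvol_meta_dump() {
    (
        cd "$1" || exit 2
        find . | sort | while IFS= read -r p; do
            ls -ldn "$p" | awk -v p="$p" '{ print p, "mode=" $1, "uid=" $3, "gid=" $4 }'
        done
        if command -v getfacl >/dev/null 2>&1; then
            getfacl -R -p . 2>/dev/null || true
        fi
        if command -v getfattr >/dev/null 2>&1; then
            getfattr -R -d -m - . 2>/dev/null || true
        fi
    )
}

# Diff the metadata of two trees. Exit 0 when identical, 1 when they
# differ (the unified diff names the affected GPO directories), 2 on error.
sysvol_meta_diff() {
    tmp_a=$(mktemp) && tmp_b=$(mktemp) || return 2
    sysvol_meta_dump "$1" > "$tmp_a"
    sysvol_meta_dump "$2" > "$tmp_b"
    diff -u "$tmp_a" "$tmp_b"
    rc=$?
    rm -f "$tmp_a" "$tmp_b"
    return "$rc"
}

# Usage on a DC (paths are assumptions for this example):
#   rsync_caps
#   sysvol_meta_diff /var/lib/samba/sysvol /tmp/sysvol-dc2
```

Run the diff before and after each sync cycle: a clean result on the first run and a nonempty one on the second pins the change on the sync tool rather than on the GPO editor, and the diff lines show whether it was the owner, the mode, the POSIX ACL or the security.NTACL xattr that was lost.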
Rowland Penny
2014-Nov-02 09:17 UTC
[Samba] DC2 denies access when saving through the Group Policy Management Console
On 02/11/14 00:07, Mirco MEGAS wrote:
>> OK, make sure that the two idmap.ldb files match and then run
>> 'samba-tool ntacl sysvolreset' on both machines and see if this cured
>> this problem.
> I did:
>
> root at dc1:~$ service sernet-samba-ad stop
> root at dc2:~$ service sernet-samba-ad stop
> root at dc2:~$ mv /var/lib/samba/private/idmap.ldb /root/idmap.ldb.bak
> root at dc1:~$ scp /var/lib/samba/private/idmap.ldb dc2:/var/lib/samba/private/
>
> then I ensured that /var/lib/samba/private/idmap.ldb is exactly the same on dc1 and dc2. then...
>
> root at dc1:~$ samba-tool ntacl sysvolreset
> root at dc2:~$ samba-tool ntacl sysvolreset
> root at dc1:~$ service sernet-samba-ad start
> root at dc2:~$ service sernet-samba-ad start
>
> to be sure again I execute the sysvolreset command...
>
> root at dc1:~$ samba-tool ntacl sysvolreset
> root at dc2:~$ samba-tool ntacl sysvolreset
>
> but when I execute "samba-tool ntacl sysvolcheck" I still get the uncaught exception error on dc1 and dc2 :(
> Hi again,
>
> I followed https://wiki.samba.org/index.php/SysVol_Bidirectional_Replication#When_you_try_to_resync_the_folder and did a manual resync from dc1:/var/lib/samba/sysvol to dc2:/var/lib/samba/sysvol so I had consistency again. The "samba-tool ntacl sysvolcheck" still fails with the uncaught exception error and I am not sure if this is a good sign. But independent of that I think I know why I am running into the issue that I described on that thread:
>
> When I add a new GPO on DC1, it has the following owner and file mode:
>
> drwxrwx---+ 4 502 500 4,0K Nov 1 22:22 {1AC9641E-1234-47C7-8D8C-43A199220635}
>
> The owner of this new Group Policy Object is 502. That is my domain user "foo" which I have assigned the NIS/UNIX attribute uid=502 to. The group is 500 which is the gid=500 of my domain group "Domain Admins". After 5 minutes the sysvol-sync (unison+rsync) is syncing that object successfully to DC2. When I do "ls -lh" on DC2 I get the same output. So far so good, everything works fine and as expected until now.

NIS/UNIX attribute uid=502 ????? I hope you mean 'uidNumber=502'

Rowland